If you are using the Single User Login Identity Provider (SULIP), then you cannot configure any authorizations. SULIP is there to make it easy for developers to start NiFi with a single and unique user that needs authentication with login/password. However this user is granted full permissions and is the only user able to authenticate. See more details here [1].
If that is the way you want to configure NiFi, then I recommend starting with a fresh install (default configuration files, default authorizers, default login identity provider, delete users.xml file). When NiFi starts for the first time, it will generate a user/password for the initial admin and the credentials will be indicated in nifi-app.log when NiFi starts for the first time. If you want to specify your own user/password, then you can use this command:

$ ./bin/nifi.sh set-single-user-credentials <username> <password>

[1] https://nifi.apache.org/nifi-docs/administration-guide.html#single_user_identity_provider

On Sun, Aug 3, 2025 at 04:04, [email protected] <[email protected]> wrote:
>
> Hi Pierre,
>
> Thank you again for your continued help. I have implemented your last
> suggestion regarding the 'Initial Admin Identity' in my `authorizers.xml`
> file.
>
> The application now starts without the previous error. However, a new error
> is appearing on the login page.
>
> I am getting an "Invalid username and password" error when trying to log in
> with "admin-user". The `nifi-user.log` shows `Password verification failed`.
>
> I have reviewed my `login-identity-providers.xml` file and found a possible
> mismatch. The user was defined by a UUID, while my `authorizers.xml` file
> uses "admin-user".
>
> I have updated the `login-identity-providers.xml` file to use `admin-user`
> and also added a test password.
>
> Here is the content of my `login-identity-providers.xml` file for your review:
>
> ---
> login-identity-providers.xml
> ---
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?><!--
> Licensed to the Apache Software Foundation (ASF) under one or more
> contributor license agreements. See the NOTICE file distributed with
> this work for additional information regarding copyright ownership.
> The ASF licenses this file to You under the Apache License, Version 2.0
> (the "License"); you may not use this file except in compliance with
> the License. You may obtain a copy of the License at
> http://www.apache.org/licenses/LICENSE-2.0
> Unless required by applicable law or agreed to in writing, software
> distributed under the License is distributed on an "AS IS" BASIS,
> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> See the License for the specific language governing permissions and
> limitations under the License.
> --><!--
> This file lists the login identity providers to use when running
> securely. In order
> to use a specific provider it must be configured here and it's identifier
> must be specified in the nifi.properties file.
> --><loginIdentityProviders>
>     <!--
>         Single User Login Identity Provider supporting automated generation
>         of Username and Password
>
>         The provider will write the following log messages when 'Username'
>         and 'Password' are empty:
>
>             Generated Username [USERNAME]
>             Generated Password [PASSWORD]
>
>         The 'Username' will be a random UUID and the 'Password' will be
>         stored using bcrypt hashing
>     -->
>     <provider>
>         <identifier>single-user-provider</identifier>
>         <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
>         <property name="User">admin-user</property>
>         <property name="Initial User Password">NiFi_P@ssw0rd!123</property>
>     </provider>
>     <!--
>         Identity Provider for users logging in with username/password against
>         an LDAP server.
>
>         'Authentication Strategy' - How the connection to the LDAP server is
>         authenticated. Possible
>         values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
>
>         'Manager DN' - The DN of the manager that is used to bind to the LDAP
>         server to search for users.
>         'Manager Password' - The password of the manager that is used to bind
>         to the LDAP server to
>         search for users.
>
>         'TLS - Keystore' - Path to the Keystore that is used when connecting
>         to LDAP using LDAPS or START_TLS.
>         'TLS - Keystore Password' - Password for the Keystore that is used
>         when connecting to LDAP
>         using LDAPS or START_TLS.
>         'TLS - Keystore Type' - Type of the Keystore that is used when
>         connecting to LDAP using
>         LDAPS or START_TLS such as PKCS12.
>         'TLS - Truststore' - Path to the Truststore that is used when
>         connecting to LDAP using LDAPS or START_TLS.
>         'TLS - Truststore Password' - Password for the Truststore that is
>         used when connecting to
>         LDAP using LDAPS or START_TLS.
>         'TLS - Truststore Type' - Type of the Truststore that is used when
>         connecting to LDAP using
>         LDAPS or START_TLS such as PKCS12.
>         'TLS - Client Auth' - Client authentication policy when connecting to
>         LDAP using LDAPS or START_TLS.
>         Possible values are REQUIRED, WANT, NONE.
>         'TLS - Protocol' - Protocol to use when connecting to LDAP using
>         LDAPS or START_TLS. (i.e. TLS,
>         TLSv1.1, TLSv1.2, etc).
>         'TLS - Shutdown Gracefully' - Specifies whether the TLS should be
>         shut down gracefully
>         before the target context is closed. Defaults to false.
>
>         'Referral Strategy' - Strategy for handling referrals. Possible
>         values are FOLLOW, IGNORE, THROW.
>         'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
>         'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
>
>         'Url' - Space-separated list of URLs of the LDAP servers (i.e.
>         ldap://<hostname>:<port>).
>         'User Search Base' - Base DN for searching for users (i.e.
>         CN=Users,DC=example,DC=com).
>         'User Search Filter' - Filter for searching for users against the
>         'User Search Base'.
>         (i.e. sAMAccountName={0}). The user specified name is inserted
>         into '{0}'.
>
>         'Identity Strategy' - Strategy to identify users. Possible values are
>         USE_DN and USE_USERNAME.
>         The default functionality if this property is missing is USE_DN
>         in order to retain
>         backward compatibility. USE_DN will use the full DN of the user
>         entry if possible.
>         USE_USERNAME will use the username the user logged in with.
>         'Authentication Expiration' - The duration of how long the user
>         authentication is valid
>         for. If the user never logs out, they will be required to log
>         back in following
>         this duration.
>     -->
>     <!-- To enable the ldap-provider remove 2 lines. This is 1 of 2.
>     <provider>
>         <identifier>ldap-provider</identifier>
>         <class>org.apache.nifi.ldap.LdapProvider</class>
>         <property name="Authentication Strategy">START_TLS</property>
>
>         <property name="Manager DN"></property>
>         <property name="Manager Password"></property>
>
>         <property name="TLS - Keystore"></property>
>         <property name="TLS - Keystore Password"></property>
>         <property name="TLS - Keystore Type"></property>
>         <property name="TLS - Truststore"></property>
>         <property name="TLS - Truststore Password"></property>
>         <property name="TLS - Truststore Type"></property>
>         <property name="TLS - Client Auth"></property>
>         <property name="TLS - Protocol"></property>
>         <property name="TLS - Shutdown Gracefully"></property>
>
>         <property name="Referral Strategy">FOLLOW</property>
>         <property name="Connect Timeout">10 secs</property>
>         <property name="Read Timeout">10 secs</property>
>
>         <property name="Url"></property>
>         <property name="User Search Base"></property>
>         <property name="User Search Filter"></property>
>
>         <property name="Identity Strategy">USE_DN</property>
>         <property name="Authentication Expiration">12 hours</property>
>     </provider>
>     To enable the ldap-provider remove 2 lines. This is 2 of 2. -->
>
>     <!--
>         Identity Provider for users logging in with username/password against
>         a Kerberos KDC server.
>
>         'Default Realm' - Default realm to provide when user enters
>         incomplete user principal (i.e. NIFI.APACHE.ORG).
>         'Authentication Expiration' - The duration of how long the user
>         authentication is valid for. If the user never logs out, they will be
>         required to log back in following this duration.
>     -->
>     <!-- To enable the kerberos-provider remove 2 lines. This is 1 of 2.
>     <provider>
>         <identifier>kerberos-provider</identifier>
>         <class>org.apache.nifi.kerberos.KerberosProvider</class>
>         <property name="Default Realm">NIFI.APACHE.ORG</property>
>         <property name="Authentication Expiration">12 hours</property>
>     </provider>
>     To enable the kerberos-provider remove 2 lines. This is 2 of 2. -->
> </loginIdentityProviders>
> ---
>
> Do you have any further suggestions on what might be causing the login to
> fail, even with this change?
>
> Thank you for your time.
>
> Best Regards,
>
> Dana
>
>
> ________________________________
> From: Pierre Villard <[email protected]>
> Sent: Saturday, August 2, 2025 5:29 PM
> To: [email protected] <[email protected]>
> Cc: [email protected] <[email protected]>
> Subject: Re: [NIFI-2.5.0] Persistent startup error: Element 'user' must have
> no character or element information item
>
> The identifier is something that is purely internal to NiFi. In your
> configuration files you'd reference the admin user by its identity,
> not its identifier. So you'd need:
>
> <property name="Initial Admin Identity">admin-user</property>
>
> In your authorizers.xml file, where appropriate.
>
> Please note that a successful configuration also depends on how you
> have configured login-identity-providers.xml.
>
> At a high level, your login identity provider would persist users and
> groups in your users.xml file that would be used by your authorizers
> and then applied against to define your policies.
>
> On Sat, Aug 2, 2025 at 02:47, [email protected]
> <[email protected]> wrote:
> >
> > Hi Pierre,
> >
> > Thank you again for your continued help.
> >
> > I have performed a final check on all of my configuration files, and I am
> > still seeing the same error.
> >
> > Here is what I have confirmed:
> >
> > 1. The UUID in my `authorizers.xml` and `users.xml` files are an exact,
> > character-for-character match.
> >
> > 2. The `nifi.properties` file correctly references `managed-authorizer`.
> >
> > 3. I have checked for a different NiFi installation and confirmed I am
> > running the correct one.
> >
> > Given that all configuration files are correct, I am still at a loss as to
> > what is causing the `Unable to locate initial admin` error.
> >
> > Below is `authorizers.xml` and `users.xml` files for your review.
> >
> > authorizers.xml
> > ---------------
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <authorizers>
> >     <userGroupProvider>
> >         <identifier>file-user-group-provider</identifier>
> >         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
> >         <property name="Users File">./conf/users.xml</property>
> >     </userGroupProvider>
> >
> >     <accessPolicyProvider>
> >         <identifier>file-access-policy-provider</identifier>
> >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >         <property name="User Group Provider">file-user-group-provider</property>
> >         <property name="Authorizations File">./conf/authorizations.xml</property>
> >         <property name="Initial Admin Identity">b64b7120-1d20-4b10-9cd8-f53a0502167b</property>
> >     </accessPolicyProvider>
> >
> >     <authorizer>
> >         <identifier>managed-authorizer</identifier>
> >         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
> >         <property name="Access Policy Provider">file-access-policy-provider</property>
> >         <property name="User Group Provider">file-user-group-provider</property>
> >         <property name="Initial Admin Identity">b64b7120-1d20-4b10-9cd8-f53a0502167b</property>
> >     </authorizer>
> > </authorizers>
> > ----
> >
> > users.xml
> > ---
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <tenants>
> >     <groups/>
> >     <users>
> >         <user identifier="b64b7120-1d20-4b10-9cd8-f53a0502167b" identity="admin-user" />
> >     </users>
> > </tenants>
> > ---
> >
> > Do you have any other suggestions, or could this be an issue with my local
> > environment?
> >
> > Thank you for your time.
> >
> > Best Regards,
> >
> > Dana
> >
> >
> >
> > ________________________________
> > From: Pierre Villard <[email protected]>
> > Sent: Friday, August 1, 2025 11:05 PM
> > To: [email protected] <[email protected]>
> > Cc: [email protected] <[email protected]>
> > Subject: Re: [NIFI-2.5.0] Persistent startup error: Element 'user' must
> > have no character or element information item
> >
> > This is now an entirely different issue:
> >
> > Caused by:
> > org.apache.nifi.authorization.exception.AuthorizerCreationException:
> > Unable to locate initial admin b64b7120-1d20-4b10-9cd8-f53a0502167b to
> > seed policies
> >
> > This error is usually because there is a mismatch on how you
> > configured your initial admin in authorizers.xml and how your
> > corresponding user is specified in users.xml.
> >
> > On Fri, Aug 1, 2025 at 17:39, [email protected]
> > <[email protected]> wrote:
> > >
> > > Hi Pierre,
> > >
> > > Thank you again for your quick response and for providing the correct
> > > format for users.xml.
> > >
> > > I have applied the fix you provided. However, I am still getting an error
> > > after several more troubleshooting steps.
> > >
> > > Here is what I have done since my last email:
> > >
> > > 1. I have updated the users.xml file to the exact attribute-based format
> > > you provided.
> > > 2. I have deleted the authorizations.xml file and the entire work
> > > directory.
> > > 3. I have restarted NiFi, forcing it to rebuild all its files from
> > > scratch.
> > >
> > > Despite all these steps, I am still getting the same error.
> > >
> > > The log shows the following:
> > >
> > > ---
> > > 2025-08-01 22:25:58,193 ERROR [main] o.s.web.context.ContextLoader
> > > Context initialization failed
> > > org.springframework.beans.factory.UnsatisfiedDependencyException: ...
> > > Caused by: org.springframework.beans.factory.BeanCreationException: Error
> > > creating bean with name 'authorizer': FactoryBean threw exception on
> > > object creation
> > > ...
> > > Caused by:
> > > org.apache.nifi.authorization.exception.AuthorizerCreationException:
> > > Unable to locate initial admin b64b7120-1d20-4b10-9cd8-f53a0502167b to
> > > seed policies
> > > ...
> > > ---
> > >
> > > Given that the users.xml file is now in the correct format, I am very
> > > confused as to why the error persists. It seems the issue might be beyond
> > > a simple configuration file problem.
> > >
> > > Do you have any further suggestions, perhaps related to a system-level or
> > > environment-specific issue?
> > >
> > > Thank you for your time and continued assistance.
> > >
> > > Best Regards,
> > >
> > > Dana
> > >
> > >
> > > ________________________________
> > > From: Pierre Villard <[email protected]>
> > > Sent: Friday, August 1, 2025 9:12 PM
> > > To: [email protected] <[email protected]>
> > > Cc: [email protected] <[email protected]>
> > > Subject: Re: [NIFI-2.5.0] Persistent startup error: Element 'user' must
> > > have no character or element information item
> > >
> > > You should define the users as below:
> > >
> > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > > <tenants>
> > >     <groups/>
> > >     <users>
> > >         <user identifier="b64b7120-1d20-4b10-9cd8-f53a0502167b" identity="admin-user" />
> > >         ...
> > >     </users>
> > > </tenants>
> > >
> > > Hope this helps,
> > > Pierre
> > >
> > > On Fri, Aug 1, 2025 at 16:05, [email protected]
> > > <[email protected]> wrote:
> > > >
> > > > Hi Pierre,
> > > >
> > > > Thank you for the quick reply.
> > > >
> > > > Here is the content of my users.xml file, as requested.
> > > >
> > > > ---
> > > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > > > <tenants>
> > > >     <groups/>
> > > >     <users>
> > > >         <user>
> > > >             <identifier>b64b7120-1d20-4b10-9cd8-f53a0502167b</identifier>
> > > >             <identity>admin-user</identity>
> > > >         </user>
> > > >     </users>
> > > > </tenants>
> > > > ---
> > > >
> > > > I appreciate your help in looking into this.
> > > >
> > > > Thank you.
> > > >
> > > > Best Regards,
> > > >
> > > > Dana
> > > >
> > > > ________________________________
> > > > From: Pierre Villard <[email protected]>
> > > > Sent: Friday, August 1, 2025 5:59 PM
> > > > To: [email protected] <[email protected]>
> > > > Subject: Re: [NIFI-2.5.0] Persistent startup error: Element 'user' must
> > > > have no character or element information item
> > > >
> > > > Hi Dana,
> > > >
> > > > Can you share the (redacted if needed) content of users.xml file?
> > > >
> > > > Thanks,
> > > > Pierre
> > > >
> > > > On Fri, Aug 1, 2025 at 12:39, [email protected]
> > > > <[email protected]> wrote:
> > > > >
> > > > > Hello everyone,
> > > > >
> > > > > I'm trying to set up a new instance of Apache NiFi 2.5.0 with
> > > > > security enabled for a new project.
> > > > >
> > > > > I have been running into a persistent startup error and am looking
> > > > > for some guidance.
> > > > >
> > > > > Environment Details
> > > > >
> > > > > NiFi Version: 2.5.0
> > > > > Java : openjdk version "21.0.7"
> > > > > OS : Windows 10 Home
> > > > >
> > > > > The Problem Description
> > > > >
> > > > > The application fails to start with the following error:
> > > > > 2025-08-01 16:53:11,024 ERROR [main] o.s.web.context.ContextLoader
> > > > > Context initialization failed
> > > > > org.springframework.beans.factory.UnsatisfiedDependencyException: ...
> > > > > Caused by: org.springframework.beans.factory.BeanCreationException:
> > > > > Error creating bean with name 'authorizer': FactoryBean threw
> > > > > exception on object creation ... Caused by:
> > > > > org.apache.nifi.authorization.exception.AuthorizerCreationException:
> > > > > jakarta.xml.bind.UnmarshalException - with linked exception:
> > > > > [org.xml.sax.SAXParseException; systemId:
> > > > > file:/C:/nifi-2.5.0-bin/nifi-2.5.0/./conf/users.xml; lineNumber: 8;
> > > > > columnNumber: 16; cvc-complex-type.2.1: Element 'user' must have no
> > > > > character or element information item [children], because the type's
> > > > > content type is empty.] ...
> > > > >
> > > > > Based on standard troubleshooting, here is a list of the steps I have
> > > > > already taken:
> > > > >
> > > > > 1. Configured security files (authorizers.xml, users.xml) and
> > > > > verified the configuration multiple times.
> > > > >
> > > > > 2. Confirmed the 'Initial Admin Identity' is correctly set in both
> > > > > the access policy provider and the managed authorizer blocks.
> > > > >
> > > > > 3. Ensured the 'User Group Provider' property is correctly defined in
> > > > > all relevant sections of authorizers.xml.
> > > > >
> > > > > 4. Corrected the 'nifi.security.user.authorizer' property in
> > > > > nifi.properties to point to 'managed-authorizer'.
> > > > >
> > > > > 5. Confirmed the users.xml file has the correct structure (groups
> > > > > before users, valid tags, etc.) and contains the admin user
> > > > > definition.
> > > > >
> > > > > 6. Recreated users.xml from scratch using a clean text editor and
> > > > > from the command line to rule out hidden character or formatting
> > > > > issues.
> > > > >
> > > > > 7. Performed a complete and clean reinstallation of NiFi 2.5.0,
> > > > > deleting all old files and re-applying the configuration.
> > > > >
> > > > > 8. Confirmed that the user running NiFi has Full Control permissions
> > > > > over the NiFi installation directory.
> > > > >
> > > > > Despite all these steps, the error persists.
> > > > >
> > > > > This is an unusual issue, and I'm at a loss for what to try next.
> > > > > Could someone please provide some guidance on what might be causing
> > > > > this error, or if there's something I've missed?
> > > > >
> > > > > Thank you for your time and expertise.
> > > > >
> > > > > Best Regards,
> > > > >
> > > > > Dana
